This entry was posted by Gerald Barnhart on February 15, 2014 at 3:29 pm

It was the best of times, it was the worst of times: In an effort to jumpstart the U.S. economy amidst the runaway blight of the “Great Recession” and financial crisis beginning in 2008, Congress scrambled to enact and then distribute its unprecedented and controversial $787 billion economic stimulus package. Among other things, the Stimulus Bill acted as a vehicle for another landmark piece of legislation, the HITECH Act, which sought to lay the foundations for sweeping healthcare reform.

Not only did the HITECH Act aim to encourage the bloated healthcare industry to lower costs and adopt healthcare information technology and electronic health records, it brought key changes to HIPAA privacy and security provisions as well. In January, these changes were finalized, and they important implications for all digital health companies, technology providers and app developers.

The rule changes (and the rules themselves) are complex, and they require startups and engineers to put in a lot of work to maintain compliance. In healthcare, where the need for efficiency-increasing, cost-reducing technology (and more engineers) is paramount, this is a problem. In a lot of cases, rather than take the time to become HIPAA-compliant, startups and developers are pairing back the features and functionality of their applications. This reduces the overall value proposition of the product and strips it of an important part of the feedback loop.

Luckily, TrueVault has your back. Launching out of Y Combinator’s most recent batch of startups, TrueVault is on a mission to unburden startups of the time-consuming, progress-stalling process of HIPAA compliance so that they can get back to focusing on what’s really important: Fixing the healthcare experience.

Over the last two years, there’s been an explosion in mobile health apps. The problem, however, is that many of them are crap. Some of them are just clones, but many of them lack the kind of functionality that people want out of a mobile health app. The average consumer wants to access health information, not uncontextualized data, but the new changes to HIPAA require compliance from apps and technology that delivering health information.

TrueVault wants to solve this problem by offering a secure API to store health data and simplify the complexity of HIPAA compliance. The idea is to save startups hundreds of development hours by ensuring that they can avoid worrying about setting up and maintaining a HIPAA-compliant application stack. Instead, TrueVault handles all physical and technical safeguards required by HIPAA, while working like the majority of API services, says co-founder Trey Swann.

TrueVault targets startups, web and mobile apps and wearables, enabling them to store and search protected health information (PHI) in any file format through RESTful APIs. It will sign a “Business Associate Agreement, and protects customers under a comprehensive Privacy and Data breach insurance policy,” as HIPAA is wont to make everyone do.

Now of course, you may say: “But, Rip, there are plenty of HIPAA-compliant hosting providers. What about those?” Touche, my friend. Touche. Familiar names like AWS, FireHost and RackSpace all offer HIPAA-compliant posting and will sign a BAA. So, you could move your applications and health data over to one of the big players.

Many startups are facing this “build vs. buy” decision right now. That’s why co-founder Trey Swann sees big opportunity for TrueVault. The value proposition that TrueVault claims over HIPAA-compliant hosting providers, he says, is that they still require companies to spend months building a HIPAA-compliant app stack in that environment, which require a laundry list of technical specifications.

The other benefit is cost. If a company wants to sign a BAA with AWS, it needs to use dedicated instances and each instance hour is 10 percent more than the standard fee. Plus, their meter starts at $1,500/month if they want to become HIPAA-compliant with AWS (meter starts at $2/instance hr, over a month it is approx. $1,500). FireHost, on the other hand, starts at $1,115/month and you are charged a $250 premium for each HIPAA-ready instance that’s added.

Instead, TrueVault is offering its service at a fairly competitive price point: $0.001/API call. Yes, that’s 100K calls for $100. Swann says that unlimited file and JSON storage are included in that price. Not bad for a service that offers automatic encryption of all data stored, APIs for searching that encrypted data, audit tracking, proactive monitoring, hashes, uptime and SLA.

The key, though, is search. In order to be compliant with HIPAA, apps have to encrypt their databases, which means your app can’t search their data, and the functionality suffers as a result. TrueVault’s service protects your data and also allows you to query that protected data. Companies can get unlimited file and JSON storage, and search any JSON document and binary field, or have their apps call TrueVault’s Search API directly to quickly add a search interface to their apps.

Today, TrueVault has about 5 million documents stored on its platform and millions of API calls are being made to its APIs every week. The startup has already signed on nearly 200 companies, including image32, LifeVest Health, Weave and Rocky Mountain Health Plans and is growing fast.